Escape from Security Mode in 9S12DG256

During a flashprocedure of a new development with a MC9S12DG256 I obviously cleared the Security Byte ($FF0F) by accident, i.e. including the backdoor access..

I do not get a connection with my BDM (a part offered by Kevin Ross) to FLASH, EEPROM and RAM.

But I can read and write to the registers. (See Dump of the RegPage in the attachment).

The contents of the REGS page can be found mod $400 of the complete adress range.

The control of the output pins works fine.

Reading through the Specification and the application note AN2206 I still am not clear how to escape from the Security Mode. (btw. I have doubts the sequence given there on page 9 really works, as Command $20 is a PROG and not a MASSERASE.)

here is my sequence ("ew" edits words, "eb" edits bytes):

---->

reset //with MODA = MODB = MODC = 0

eb 100 4a //write $4a to $100; FCLK set for 16MHz crystal

eb 102 10 //write all

ew 104 FFFF //FPROT set to FF; FSTAT clear all bits

ew f000 0000 // write something to page

eb 106 41 //FCMD: MASS ERASE

eb 105 80 //GO

reset //Reset to Special Mode to enable background check for erased FLASH according spec.

eb 100 4a //FCLK init again

ew 104 FFFF //open Prot and clear FSTAT bits again

ew ff0e fffe //SECURITY set to FE

eb 106 20 //FCMD: prog

eb 105 80 //go

<----

One very strange behavior of FSTAT is the result of $C1 instead of $C0 after the command is started. Accordung the Secification the LSB should always read zero.

I tried several similar sequences also delays before and after "reset". Unfortunately w/o effect.

Do you have an idea what my problem could be?

The accidential erasure is not very unlikely. ist there a standard escape sequence available, when no ext ROM ist available?

"The ACCERR flag will not be set if any Flash register is read during the command sequence."

I'm not familiar with the details of the software that you are using to maniplulate the registers, but you should try to use commands that do NOT attempt to verify the writes to the flash control registers.

It may be a good idea to check BDM communication by reading PARTID or some other readable register BEFORE attempting the unsecure sequence.

As you are demonstrating, it would be a help to include unsecuring instructions with any BDM software.